In the past, reCAPTCHA was used as a fallback for the SafetyNet API. However, since February 2023, no new project can use the SafetyNet API anymore. It seems like the successor – the Play Integrity API – cannot do the same job as the SafetyNet API.
All the time I’m getting a reCAPTCHA verification "Verifying you’re not a robot…". This is not only the case for "native Android apps"; I have also heard people complaining about that problem with React Native or Flutter apps.
I enabled the Play Integrity API in my Play Console and also linked it to my Firebase project as you can see in the following screenshots.
I also contacted Google Support about that, but to be honest, that was very confusing. We exchanged a lot of emails, and a lot of the suggestions were to use the SafetyNet API (which is impossible because it's not even listed anymore on GCP). In one email they write:
Unfortunately, we are unable to provide a timeline for Play Integrity API phone authentication implementation. For now, you can use reCAPTCHA verification for phone number authentications. SafetyNet deprecation is not related to reCAPTCHA API. The two SafetyNet APIs are independent, and the Attestation API deprecation will not affect the reCAPTCHA API. You can still use this API even after migrating to Play Integrity API.
Am I doing something wrong here? What are your suggestions to solve it?
2 Answers
// Update:
As Mike Hardy points out correctly, the latest release of firebase-android-sdk supports this now.
// Original answer
Probably that's not the answer you all want to hear, but unfortunately, the Play Integrity API does not support this use case at the moment.
I exchanged quite a few emails with the Google Support. The main takeaway was this:
The recommended fallback solution is to further use the SafetyNet Attestation API (which you cannot use out of the box if your project was created after 31 January 2023). However, you can apply to use the SafetyNet Attestation API. To be transparent with you: The whole application process took around three weeks for my project.
If you got approved, you have to go to the library page in your Google API Console and activate the "Android Device Verification API".
So my project setup is the following now:
It works: I'm not seeing reCAPTCHAs anymore :)
As of the latest firebase-android-sdk (included already in latest react-native-firebase), auth supports Play Integrity now.
You’ll need to make sure the app is actually installed from the Play Store for it to work.